Effective Control Environments:

The Value of Experience Effective Control Environments: Getting the most “bang for your buck” through segregation of duties. May 12, 2008


Transcript of Effective Control Environments:

Page 1: Effective Control Environments:

The Value of Experience

Effective Control Environments:

Getting the most “bang for your buck” through segregation of duties.

May 12, 2008

Page 2: Effective Control Environments:

Presented By

Lee S. Buby, CPA

Haskell & White LLP

SOX 404 Practice Leader

[email protected]

Page 3: Effective Control Environments:

Haskell & White LLP

Who We Are:

• Headquartered in Irvine, California, with a second office in San Diego, Haskell & White LLP is one of the largest independently owned accounting and business advisory firms in Southern California. For nearly two decades, we have successfully provided a full complement of tax, accounting and auditing services to the region's public and private middle-market companies.

Page 4: Effective Control Environments:

Haskell & White LLP

• Core Competencies
– Tax Consulting and Planning
– Audit and Business Advisory Services
– SEC Advisory Services
– Sarbanes-Oxley Compliance
– Mergers & Acquisitions

Page 5: Effective Control Environments:

Haskell & White

• National Resources

• ‘Squeaky’ Clean 2007 PCAOB Opinion

Page 6: Effective Control Environments:

Segregation of Duties

Definitions

and

Misconceptions

Page 7: Effective Control Environments:

Definitions and Misconceptions (cont.)

• John Tonsick’s keynote address this morning was on FRAUD

• Statistic referenced: The Association of Certified Fraud Examiners estimates that the average U.S. business loses 5% of its gross revenue to employee fraud and abuse; that comes to about $9 per day, per U.S. employee.

Page 8: Effective Control Environments:

Definitions and Misconceptions (cont.)

This is a big problem.

Page 9: Effective Control Environments:

Definitions and Misconceptions (cont.)

Financial

And

Emotional

Aspects

Page 10: Effective Control Environments:

Definitions and Misconceptions (cont.)

“Hank”

Page 11: Effective Control Environments:

Definitions and Misconceptions (cont.)

• Association of Certified Fraud Examiners Stat: After examining 1,100 cases of occupational fraud in 2006, the ACFE said the average theft scheme costs a business about $159,000. About one-quarter of the theft schemes cost a business more than $1 million.

Page 12: Effective Control Environments:

Definitions and Misconceptions (cont.)

• Sadly, by the time a fraud scheme is uncovered, it’s safe to assume the money has already been spent. So, a lot of businesses hesitate to expend the time and energy to recoup the money. This would be throwing good money after bad…

Page 13: Effective Control Environments:

Definitions and Misconceptions (cont.)

Segregation of Duties (“SOD”), by definition, is an anti-fraud control. It is, in fact, the most effective anti-fraud control. It prevents a single employee from being able to negatively affect a company. This is the case regardless of whether an employee wishes to do so or might otherwise do so accidentally.

Page 14: Effective Control Environments:

Definitions and Misconceptions (cont.)

Control Types

They come in many shapes and sizes: Manual, Automated, Entity-Level, Transaction-Level, and, of course, Preventive and Detective.

Page 15: Effective Control Environments:

Definitions and Misconceptions (cont.)

Auditing Standard No. 5 defines each:

• Preventive controls have the objective of preventing errors or fraud that could result in a misstatement of the financial statements from occurring.

• Detective controls have the objective of detecting errors or fraud that has already occurred that could result in a misstatement of the financial statements.

Page 16: Effective Control Environments:

Definitions and Misconceptions (cont.)

My two cents worth:

• Detective Control – An activity that identifies an accounting error, whether intentional or not, after it has been recorded. This is usually a procedure performed external to the processing of transactions, designed specifically to identify errors of a specific nature.

• Examples: reviews, exception reports, reconciliations, financial analysis, etc.

Page 17: Effective Control Environments:

Definitions and Misconceptions (cont.)

My two cents worth:

• Preventive Control – An activity or environmental condition that does not allow an error, whether intentional or not, to be recorded in an accounting ledger.

Page 18: Effective Control Environments:

Definitions and Misconceptions (cont.)

• The ability to contribute to a control environment more efficiently directly correlates to the cost/benefit effects of the ongoing operation of preventive vs. detective controls.

Page 19: Effective Control Environments:

Definitions and Misconceptions (cont.)

• Because of the preventive nature, proper SOD is the most powerful control an organization can have for either fraud or unintentional errors.

Page 20: Effective Control Environments:

Definitions and Misconceptions (cont.)

Confucius Say:

Page 21: Effective Control Environments:

Definitions and Misconceptions (cont.)

Confucius Say:

Man who run in front of car get ‘tired’.

Page 22: Effective Control Environments:

Definitions and Misconceptions (cont.)

Confucius Say:

Man who run behind car get ‘exhausted’.

Page 23: Effective Control Environments:

Definitions and Misconceptions (cont.)

Moral of the Story:

Make sure the Company is the one driving the car, controlling the speed and direction.

Page 24: Effective Control Environments:

Definitions and Misconceptions (cont.)

Segregation of Duties

“Not as simple as it sounds.”

Page 25: Effective Control Environments:

Definitions and Misconceptions (cont.)

• Segregation of Duties – Process Attributes:
– Authorization
– Custody of Assets
– Recording
– Control Activity

Page 26: Effective Control Environments:

Definitions and Misconceptions (cont.)

• Segregation of Abilities – Process Attributes:
– Authorization
– Custody of Assets
– Recording
– Control Activity

Page 27: Effective Control Environments:

Definitions and Misconceptions (cont.)

• Segregation of Abilities – Process Attributes:
– Authorization and Responsibility
– Access to potential (personal) benefit
– Recording
– Control Activity

Page 28: Effective Control Environments:

Definitions and Misconceptions (cont.)

• Example of a fraud committed without actual access to an asset:

Excerpt from an ACFE article: “An internal investigation found [She] stole thousands of dollars a week from the hotel between April 2006 and September 2007. [She] canceled non-existent reservations and ordered refunds to seven different credit cards she opened, stealing $200 to $1,100 at a time until she had taken so much money her managers had to postpone a renovation of the hotel.”

Page 29: Effective Control Environments:

Definitions and Misconceptions (cont.)

Deterring the misappropriation of assets = Deterring the creation of liability

Page 30: Effective Control Environments:

Definitions and Misconceptions (cont.)

• Segregation of Abilities – Process Attributes:
– Authorization and Responsibility
– Access to potential (personal) benefit
– Recording**
– Control Activity

Page 31: Effective Control Environments:

Definitions and Misconceptions (cont.)

How many organizations have appropriate segregation of duties?

Page 32: Effective Control Environments:

Definitions and Misconceptions (cont.)

0

Page 33: Effective Control Environments:

Definitions and Misconceptions (cont.)

In business, ignorance is not bliss.

Page 34: Effective Control Environments:

Segregation of Duties

Control Objectives – Taking the prevention of fraud and mistakes seriously.

Page 35: Effective Control Environments:

Control Objectives

How much of your time is spent ‘fixing’ mistakes?

Page 36: Effective Control Environments:

Control Objectives

NO company grows ‘well’ in these back-end functions.

Page 37: Effective Control Environments:

Control Objectives

Effective controls help gain efficiencies that allow a company to cut costs and/or position its existing resources to handle foreseeable growth without increasing costs.

- The ability to grow WELL -

Page 38: Effective Control Environments:

Control Objectives

“Through the Auditor’s Goggles”

Page 39: Effective Control Environments:

Control Objectives

1. Companies seem to think that a formal SOD assessment is not necessary because the concept is so elementary or futile.

Page 40: Effective Control Environments:

Control Objectives

2. If attempted, the assessment is done using very poor tools pulled from national firms’ rusty, generic template arsenals.

Page 41: Effective Control Environments:

Control Objectives

3. Management and consultants tend to conclude, out of ‘thin air’, that there are few or no significant SOD issues.

Page 42: Effective Control Environments:

Control Objectives

4. Only the most obvious SOD issues are called out as a result of a walkthrough/process document and are often discounted as unavoidable due to the size of the organization.

Page 43: Effective Control Environments:

Control Objectives

5. Particularly in 404 implementations: a large portion of controls identified as ‘key’ are, in effect, a segregation of duties control.

– As much as 75%, if viewed through our goggles of ‘Segregation of Abilities’

Page 44: Effective Control Environments:

Control Objectives

The Paradigm Shift:

• Performing an appropriate SOD assessment will actually define and formally identify each of the existing issues and allow management to address them one by one.

• If the risk of loss (or potential liability) is small, management may choose to accept it, or it may be satisfied that an already existing, detective control is sufficient.

Page 45: Effective Control Environments:

Control Objectives

Remember:

• The potential for FRAUD is at risk, so identifying ALL possibilities and permutations and then deciding what is or isn’t a severe issue is more prudent than presupposing that there’s no way a particular process/area could result in a significant occurrence.

Page 46: Effective Control Environments:

Segregation of Duties

Assessment Methods

Page 47: Effective Control Environments:

Assessment Methods

From:

To:

Page 48: Effective Control Environments:

Assessment Process:

1. Identify all significant accounting-related processes (or, ‘cycles’)

2. Break these processes down into sub-process components, both transaction-level and general (e.g., steps in performing a check run vs. vendor creation)

Page 49: Effective Control Environments:

Assessment Process:

3. In a two-dimensional manner (one-to-one), compare each step against the others to identify whether an individual performing both would have the ability to both obtain personal value and affect the recording of it, and highlight the intersection of these functions. This is an area of ‘ideal SOD’.

Page 50: Effective Control Environments:

Assessment Process:

4. Identify which of these steps requires access, either physical or electronic, to perform.

a. For those steps that require neither, assume anyone can do them.

Page 51: Effective Control Environments:

Assessment Process:

5. For those steps that require either:
– Determine who has access to perform each of these ‘steps’
– Work with IT personnel to determine:
• Who has write access to these functions (not read-only)

Page 52: Effective Control Environments:

Assessment Process:

6. Summarize all of your potential issues (I guarantee there will be many) and identify the reasons why, if any, each issue is effectively mitigated.
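The six assessment steps above, sketched as a small Python check (an added example, not part of the original presentation). The step names, users, grants and mitigation text are constructed sample data, and tagging each step with the abilities "benefit", "record" or "authorize" is an assumed way of modeling the ‘Segregation of Abilities’ attributes.

```python
from itertools import combinations

# Steps 1-2 (constructed sample): sub-process steps, the ability each confers,
# and whether performing it requires physical or electronic access.
STEPS = {
    "create_vendor":         {"abilities": {"benefit"},   "needs_access": True},
    "approve_invoice":       {"abilities": {"authorize"}, "needs_access": True},
    "run_check_batch":       {"abilities": {"benefit"},   "needs_access": True},
    "post_ap_journal":       {"abilities": {"record"},    "needs_access": True},
    "code_invoice_on_paper": {"abilities": {"record"},    "needs_access": False},
}
# Step 5 input (constructed sample): access per user, as reported by IT.
GRANTS = {
    "alice": {"create_vendor": "write", "post_ap_journal": "read"},
    "bob":   {"run_check_batch": "write", "post_ap_journal": "write"},
    "carol": {"approve_invoice": "write", "create_vendor": "read"},
}
# Step 6 input (hypothetical): documented mitigations, keyed by sorted step pair.
MITIGATIONS = {("post_ap_journal", "run_check_batch"):
               "controller reviews check register weekly"}

def conflicting_pairs(steps):
    """Step 3: pairs where one person doing both could obtain personal
    value AND affect the recording of it (the 'ideal SOD' intersections)."""
    def crosses(x, y):
        return "benefit" in steps[x]["abilities"] and "record" in steps[y]["abilities"]
    return [(a, b) for a, b in combinations(sorted(steps), 2)
            if crosses(a, b) or crosses(b, a)]

def can_perform(user, step, steps, grants):
    """Steps 4-5: a step needing no access is open to anyone;
    otherwise only write access counts, read-only does not."""
    if not steps[step]["needs_access"]:
        return True
    return grants.get(user, {}).get(step) == "write"

def assess(steps, grants, mitigations):
    """Step 6: every (user, step, step) issue with its mitigation, or None."""
    issues = []
    for a, b in conflicting_pairs(steps):
        for user in sorted(grants):
            if can_perform(user, a, steps, grants) and can_perform(user, b, steps, grants):
                issues.append((user, a, b, mitigations.get((a, b))))
    return issues

if __name__ == "__main__":
    for user, a, b, why in assess(STEPS, GRANTS, MITIGATIONS):
        print(f"{user}: {a} + {b} -> {why or 'UNMITIGATED'}")
```

Alice's read-only view of the journal produces no issue for vendor creation plus journal posting, while the paper step that needs no access pairs with every user who can obtain value.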

Page 53: Effective Control Environments:

Assessment Process:

For High-Risk Areas:

Again, FRAUD is at risk, so identifying significant areas where proper segregation of duties can prevent an occurrence (banking authority procedures) versus detect an occurrence is more prudent.

Page 54: Effective Control Environments:

Assessment Process:

Page 55: Effective Control Environments:

Segregation of Duties

Maintenance of the Assessment

Page 56: Effective Control Environments:

Maintenance of the Assessment

• Rolling the assessment forward and maintaining it on an ongoing basis is not difficult.

Page 57: Effective Control Environments:

Maintenance of the Assessment

• Once documented, rolling the assessment forward and maintaining it on an ongoing basis is not difficult.

• It could keep your company from appearing on the cover of the newspaper for the wrong reasons.

Page 58: Effective Control Environments:

Segregation of Duties

“It is intelligent to learn from your own mistakes.

It is genius to learn from others’”

Page 59: Effective Control Environments:

SAVE THE DATE: June 3rd

Whether your company is public or private, an effective control environment must be an objective and auditors are now required to make an assessment. However, there are few areas in which we all feel the benefits outweigh the costs to implement.

Two of these are: hiring competent personnel and safeguarding against rogue employees. When assessing the effectiveness of an entity’s control environment, auditors often look for indications that management takes these areas seriously.

Haskell & White LLP invites you to join us for a complimentary breakfast and stimulating presentations by experts in these fields:

Lee S. Buby, CPA
Haskell & White LLP, SOX 404 Practice Leader
Presents: When Good Employees Go Bad

O. Wade Messer
Messer & Company, Inc., Founder
Presents: Hire Right. Hire Once.

Date: June 3rd, 2008
Time: 7:30am – 9:30am
Location: DoubleTree Hotel - Mission Valley, 7450 Hazard Center Dr., San Diego, CA 92108

Space is limited! Reserve your spot now by emailing: [email protected]

Page 60: Effective Control Environments:

16485 Laguna Canyon Road

3rd Floor

Irvine, CA 92618

T (949) 450-6200

F (949) 753-1224

12707 High Bluff Drive

Suite 200

San Diego, CA 92130

T (858) 350-4215

F (858) 350-4218

THANK YOU